CVE-2025-68551

2025-12-23

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 23, 2025 - 12:15 (nvd)

Description (NVD)

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm v-form allows Retrieve Embedded Sensitive Data. This issue affects VPSUForm: from n/a through <= 3.2.24.

Analysis (AI)

VPSUForm WordPress plugin versions 3.2.24 and earlier expose sensitive embedded system information to unauthorized users via improper access controls, allowing attackers to retrieve data that should be restricted to administrators or authenticated users. The vulnerability affects a widely-deployed WordPress form plugin and has an EPSS score of 0.05% (low exploitation probability), with no confirmed active exploitation or public exploit code at the time of analysis.

Technical Context (AI)

VPSUForm is a WordPress plugin (CPE identification: wordpress-plugin-vpsuform) that handles form creation and submission functionality. The vulnerability stems from CWE-497 (Exposure of System Data to an Unauthorized Control Sphere), which occurs when sensitive system information (such as configuration details, file paths, database structure, or authentication tokens) is inadvertently exposed to users or processes without proper access controls. In this case, the plugin fails to properly validate or restrict access to embedded sensitive data within form structures or responses, allowing unauthenticated or minimally-privileged users to retrieve information intended for administrative use only. The issue likely involves insufficient input validation or missing authorization checks on API endpoints or form processing functions.

Affected Products (AI)

Vikas Ratudi VPSUForm (WordPress plugin) version 3.2.24 and all earlier versions are affected. No specific CPE string is provided in available data, but the plugin can be identified as WordPress-plugin-vpsuform. The vulnerability affects all installations of this plugin through version 3.2.24. Additional CPE or version range precision is not available from the provided references.

Remediation (AI)

Update VPSUForm WordPress plugin to a version higher than 3.2.24 immediately. The vendor has addressed this vulnerability in a patched release; consult the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/v-form/vulnerability/wordpress-vpsuform-plugin-3-2-24-sensitive-data-exposure-vulnerability) for the exact patched version number and installation instructions. As an interim measure, restrict access to VPSUForm admin pages and form processing endpoints via WordPress role-based access controls (RBAC) to minimize exposure of embedded sensitive data. Additionally, audit form outputs and API responses to identify any already-exposed sensitive information and rotate credentials if necessary.
